REST

A few weeks back, I attended my first RESTFest “unconference”. This was a really great event put on by some fantastic folks. The “everyone talks” aspect of RESTFest is actually an awesome idea for a conference this size. This format is great because if you’re like me, you had some things you wanted to get some feedback on and this provides the forum to do just that. Everyone gets a chance to do a quick 5-in-5 talk about anything. I was looking to get some feedback on some ideas I’ve been considering about push notifications in Web APIs.

I titled my talk “Real-Time Web APIs,” but I’m not so much interested in Web APIs that follow “real-time computing” constraints. Really, I’m looking to see if there’s a good way to describe a service that streams push notifications from a Web API that follows “RESTful” architectural constraints. There are a lot of good ideas out there, but many of them assume that the client is either a web browser or running an HTTP server. Additionally, the mechanism to describe these services needs some work.

The Goal

The core building blocks for push notifications are already available, but not so much the means that aid in discovery and the description of such resources. I’d like to be able to organize these pieces so that the following requirements can be met:

Don’t assume that the subscriber is able to receive a callback using HTTP POST. If the subscriber is a web browser or a thick desktop client like a Swing or JavaFX application (yes, people still make these!), or even a native app on iOS, running a web server to receive an HTTP callback isn’t always practical or feasible.

Advertise that a given link is exposing a stream of events via a link relation. This might be similar to the monitor link relation, but not necessarily bound to SIP.

The link relation should be able to indicate the media type that event messages are described in, ideally via the type property.

If there’s a sub-protocol involved, it should also advertise which sub-protocol. If the event stream is a media type that supports embedded content, it should express that as well.

Subscribing to a stream or feed should be simple

WebSockets and HTML5 Server-Sent Events (SSE) present some interesting opportunities for Web APIs that demand low-latency push notifications while also removing the need for a consumer to run an HTTP server. Keep in mind that I’m not talking about doing something like “REST over WebSockets (Shay does make some great points though!),” I’m simply looking for push notifications without the need for the consumer to run a web server as well as describing the stream via link relations. I think it could be done, but there’s some missing bits.

PubSubHubbub

While the protocol is built around Atom and Atom concepts, it could support a variety of media types. It’s using the Content-Type header to express what is coming over the wire.

It sports a discovery model using the rel="hub" link relation either in a link header or a link within an Atom feed.

The subscriber subscribes to the Topic URL from the Topic URL’s declared Hub(s) using the PubSubHubbub subscription protocol.

Publishers ping the “Hub” to notify it of updates; the Hub aggregates the content and sends it to the subscriber using an HTTP POST request to the hub.callback URL.

What I like about it a lot is the use of hypermedia to do discovery and callbacks. Additionally, it’s using standard means to describe what’s coming over the wire. The rel="hub" link relation combined with the subscription protocol is super easy and it works. My challenge with PubSubHubbub is the requirement of an HTTP callback on the part of the subscriber. As stated earlier, this isn’t always possible.

From my perspective, PubSubHubbub has the right foundational model. It’s simply HTTP callbacks that are the sticking point. So can we do something similar with WebSockets or Server-Sent Events? I think so, but there are some challenges with existing formats in order to make this work.

As you can see, the data field could contain a nested media type like XML, JSON, or something else. The problem is that there is no way to indicate that. How does one know that the data field contains structured content such as JSON? The browser gets around the issue by embedding JavaScript in an HTML document that references the stream:

Obviously, the changeHandler function will parse and handle the embedded content. This works great where the subscriber is a web browser (or embedded browser), but for other environments it’s not so easy.

We could express this via a link, but it’d be missing some details. Let’s assume we have a link relation called stream that informs a client that this link represents a stream of events:

It works: it declares that the link is a stream of events and that it exposes the events via SSE. But the subscriber has no hints that the data field contains JSON or XML content. In cases where the browser, or an embedded web browser, is not available, how can a client get more information about how to process a stream? For SSE, one option might be to include a media type parameter, call it data if you will, that would indicate that the nested type is something like JSON-LD:

It’s just an idea, but it could be workable. I would love feedback on this and would REALLY like to see Microsoft add Server-Sent Events to IE at some point.
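How a non-browser subscriber could act on such a hint, as an added example that is not code from this post: it reads the link, checks the declared stream type, and decodes each event's data field only according to the nested type the link declared. The Link header form, the example.org URL and the sample events are constructed for illustration; rel="stream" and the data parameter are the proposal above, not registered names.

```python
import json
import re

# Constructed inputs. rel="stream" and the "data" media type parameter are the
# post's proposal, not registered names; the URL is a placeholder.
LINK = ('<https://api.example.org/orders/events>; rel="stream"; '
        'type="text/event-stream;data=application/ld+json"')
STREAM = (": keep-alive\n"
          "event: change\nid: 41\n"
          'data: {"@id": "https://api.example.org/orders/7",\n'
          'data:  "status": "shipped"}\n\n'
          "event: change\nid: 42\ndata: not json\n\n")

def parse_link(header):
    """Return (target, params) for one Link header value; quoted params may contain ';'."""
    target = re.match(r'\s*<([^>]*)>', header)
    if not target:
        raise ValueError("no link target")
    found = re.findall(r';\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]*))',
                       header[target.end():])
    params = {}
    for name, quoted, bare in found:
        params.setdefault(name.lower(), quoted or bare)
    return target.group(1), params

def split_media_type(value):
    """Split 'type/subtype;k=v' into (essence, params)."""
    essence, *rest = [part.strip() for part in value.split(";")]
    params = {}
    for part in rest:
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return essence.lower(), params

def parse_sse(body):
    """Yield (event, last_id, data) following the SSE field and dispatch rules."""
    event, data, last_id = "", [], None
    for line in re.split(r"\r\n|\n|\r", body):
        if line == "":                      # blank line dispatches the event
            if data:
                yield event or "message", last_id, "\n".join(data)
            event, data = "", []
        elif not line.startswith(":"):      # ':' starts a comment line
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "event":
                event = value
            elif field == "data":
                data.append(value)
            elif field == "id" and "\0" not in value:
                last_id = value

def consume(link_header, body):
    """Decode each event's data field according to the type the link declared."""
    _, link = parse_link(link_header)
    if "stream" not in link.get("rel", "").split():
        raise ValueError("link is not advertised as a stream")
    essence, params = split_media_type(link.get("type", ""))
    if essence != "text/event-stream":
        raise ValueError("unsupported stream type: " + essence)
    nested = params.get("data", "").lower()
    is_json = nested == "application/json" or nested.endswith("+json")
    results = []
    for event, last_id, data in parse_sse(body):
        payload, ok = data, True            # no hint: keep data as opaque text
        if is_json:
            try:
                payload = json.loads(data)
            except ValueError:              # declared JSON, but not parseable
                payload, ok = None, False
        results.append({"event": event, "id": last_id, "ok": ok, "payload": payload})
    return results

if __name__ == "__main__":
    for item in consume(LINK, STREAM):
        print(item)
```

The second constructed event declares JSON but does not parse, so it is reported with ok set to False instead of being passed on as if it were valid.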

WebSockets

WebSockets are neat, but the majority of use cases for streaming notifications only really need to go one way. The bi-directional nature of the WebSockets protocol is a nice-to-have but not entirely necessary for most applications. WebSockets by itself really isn’t that useful. A number of WebSocket examples you’ll see are effectively someone’s home-grown, JSON-based, socket protocol. It’s a bit too cowboy for my tastes, but it can get the job done.

Where I do find WebSockets more useful is being able to leverage a well-defined subprotocol over a WebSocket. At the moment, I’m quite fond of STOMP, particularly STOMP over WebSockets. In a Java shop that is already heavily invested in JMS, STOMP over WebSockets is a reasonable leap given that tools such as ActiveMQ, RabbitMQ, and others support STOMP over WebSockets now.

Building on the Server-Sent Event examples earlier, we have some similar problems such as:

We still don’t have a good way of indicating what might be coming over the wire

We have a new problem: since we’re dealing with another protocol that supports subprotocols, we don’t have a means to identify the sub-protocol that the WebSocket will be using

Here, we’d overload the rel field to indicate that it’s a stream but that it’s also using STOMP as the sub-protocol, specifically STOMP v1.2 (note I’m using IANA WebSocket subprotocol IDs here). Because the URI begins with wss://, we know that we’re using WebSockets over SSL. The type property is indicating that the messages will be using application/ld+json. The problem with both approaches is that if I want to offer other alternate message formats (say JSON-LD or XML), then this solution doesn’t really work. But maybe that’s not a problem.

Constrained Application Protocol

One of the great things about attending a workshop like RESTFest is that you’re surrounded by people who are smarter or more experienced than you. After my 5-in-5, Mike Amundsen had a few good questions about what I was trying to do. He then asked if I had considered CoAP, or the Constrained Application Protocol. Having never heard of CoAP, I obviously hadn’t taken it into consideration. CoAP more than likely satisfies a number of my needs. Since it’s still in draft form, it’s not an easy sell yet. Without a doubt, CoAP is something to keep an eye on.

Wrapping Up

Right now, I’m going down the STOMP over WebSockets route. I’d REALLY prefer Server-Sent Events, but the fact that Microsoft isn’t supporting SSE in IE10 and IE11, AND that IE is the corporate standard in most shops, sadly makes SSE a non-starter. In the coming weeks, I’ll be slapping some code up on GitHub to test out some ideas. I’d love to get feedback on these ideas to see if I’m going off the rails or if these ideas have some merit.

After months of not blogging and kind of working on my URI Template library, I finally managed to get out version 2.0.1. The new API makes quite a few changes and it does break some things in version 1.x. Here’s a rundown of what has changed:

Better error handling. The API can now be more specific about what the error was and more importantly, where it was.

With that out of the way, I’ll be focusing on 1.2 which will change the API a bit, but will finally add reverse mapping so that you can use it to match request URLs to a URI template pattern. It turns out that this is a bit more complicated than I first imagined. A number of folks have pointed to the excellent wo-furi project as this already does reverse mapping. However, it only handles level 1, and maybe level 2 templates. Things get hairy when you start reverse mapping level 3 and level 4 templates.

A few years back, I dabbled a bit with Aspect Oriented Programming and dorked around with JBoss AOP and AspectJ. I created a few aspects and threw them up on Java.net. Over the years, I never really kept up with maintaining the project. Since then, Java.net migrated projects and Handy Aspects was removed. Since then, I have received a few requests for the code and I planned on moving it to GitHub.

But rather than simply throwing the code up there “as-is”, I decided to bring the project up to date a bit. For example, I moved the build from Ant to Maven and brought the dependencies up to the latest versions. I also removed the JBoss AOP version and everything is now based on AspectJ. With that said, you can follow and fork the new Handy-Aspects project here.

Over the past few days I have been reading up on the State Chart XML spec. Ever since reading some of Stu Charlton’s ideas on a RESTful Hypermedia Agent and listening to his WS-REST keynote presentation, I’ve taken more of an interest in hierarchical state machines and began taking a more in-depth look into SCXML.

I really like the concept of SCXML, but I’m not sold on the design. I don’t really have an issue with the use of XML in general, I get it. However, the executable XML content bit is really hard to get past. Especially when a scripting environment is available to the SCXML environment. I can debug JavaScript code with a number of tools. Executable XML content? Not so much. For me, the executable content bit is the technical equivalent of a two-bagger.

After a few weeks of tweaking, I put out a new release of Handy URI Templates. What’s important about version 1.1.2 is that it is now being tested against the uritemplate-test suite started by Mark Nottingham. Most importantly, it is also now passing all tests. Additionally, this release also marks the introduction of expression validation as well. If you’ve been using the 1.0.x versions, I’d highly recommend moving up to 1.1.2.

URI Templates can make interacting with the web APIs like the Facebook Graph API a little easier. Here, I’ll show you how you can use URI Templates to create request URIs into the Facebook Graph API using the Handy URI Templates library. The URI Template examples described should be usable by any RFC6570 URI Template processor, but I’ll be focusing on how to use the Handy URI Templates API in Java. If you’re using PHP, have a look at Michael Dowling’s excellent Guzzle Framework which has great URI template support.

URI Template Basics

We’ll assume you have some familiarity with URI templates. Basically, a URI template is an expression where replacement variables are identified by the text between ‘{‘ and ‘}’, like so:

https://graph.facebook.com/{id}

Where {id} is the name of the variable. This is similar to how paths are expressed in JAX-RS, and OpenSearch URL template syntax. The RFC6570 spec provides a lot more details on the URI template standard syntax, so we’ll focus on how to use URI templates in conjunction with the Facebook Graph API.

Facebook Graph API Basics

For the most part, most URIs in the Graph API follow the basic pattern of hostname + id. In a URI template, this pattern can be expressed as:

https://graph.facebook.com/{id}

When the template variable is expanded, it will allow you to create URIs that can be used to request resources like so:

Because the {id} variable can contain sub paths, we need a way to express that. If we want to express a URI template that gets a user’s information or the user’s photo albums, we need additional path segments. We could use multiple path segments with more variables, but this can make the template more complicated. One option is to modify the expression so that {id} can accommodate a single path segment or multiple path segments by rewriting the expression as:

https://graph.facebook.com{/id*}{?access_token}

This does a few things:

By putting the path ‘/’ operator in the variable expression, we’re stating that the values in this variable are path segments. By default, if the variable value is an array, Collection or Map, the values will be ‘,’ delimited.

The * modifier means ‘explode’. With an array or Collection plus the explode modifier, the values will be delimited by the ‘/’ operator.
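The expansion rules just listed, worked through as an added example that is not the Handy URI Templates API or code from this post: a small expander covering only the RFC 6570 operators used in this template (none, ‘/’ and ‘?’) with string and list values. It shows the ‘,’ default against the exploded form, and that reserved characters inside a value are percent-encoded, so a value cannot add path segments or query parameters of its own. The function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import quote

# RFC 6570 operator table, limited to the operators this post uses:
# operator -> (prefix, separator, named)
OPERATORS = {"": ("", ",", False), "/": ("/", "/", False), "?": ("?", "&", True)}

def _encode(value):
    # Only unreserved characters pass through; '/', '?', '=' etc. are escaped.
    return quote(str(value), safe="")

def _expand_variable(spec, named, values):
    """Return the expanded pieces for one variable spec such as 'id' or 'id*'."""
    explode = spec.endswith("*")
    name = spec.rstrip("*")
    value = values.get(name)
    if value is None or value == [] or value == ():
        return []                            # undefined variables vanish
    if isinstance(value, (list, tuple)):
        items = [_encode(v) for v in value]
        if explode:                          # one piece per list item
            return [f"{name}={item}" if named else item for item in items]
        joined = ",".join(items)             # default: ',' delimited
    else:
        joined = _encode(value)
    return [f"{name}={joined}" if named else joined]

def expand(template, values):
    """Expand every {expression} in the template with the given values."""
    def replace(match):
        body = match.group(1)
        op = body[0] if body[0] in "/?" else ""
        prefix, separator, named = OPERATORS[op]
        parts = []
        for spec in body[len(op):].split(","):
            parts.extend(_expand_variable(spec, named, values))
        return prefix + separator.join(parts) if parts else ""
    return re.sub(r"\{([^{}]+)\}", replace, template)

GRAPH = "https://graph.facebook.com{/id*}{?access_token}"

def demo():
    # Sample values are constructed; TOKEN stands in for a real access token.
    return {
        "exploded": expand(GRAPH, {"id": ["me", "albums"], "access_token": "TOKEN"}),
        "not_exploded": expand("https://graph.facebook.com{/id}", {"id": ["me", "albums"]}),
        "no_token": expand(GRAPH, {"id": ["me"]}),
        "reserved": expand(GRAPH, {"id": ["a/b?c=d"]}),
    }

if __name__ == "__main__":
    for label, uri in demo().items():
        print(label, uri)
```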

More Advanced Requests

The Graph API has a number of query parameters that modify the request. All of these are defined in the Facebook Graph API documentation so I won’t detail them here. With all of the query parameters collected, you end up with the following URI template expression:

Wrap Up

Hopefully this gives you a good idea on both how to use URI Templates in general, and a good insight into how you can use the Handy URI Templates API. If you want more examples, have a look at the code on GitHub here. There are examples for Facebook, Twitter, and GitHub.

The majority of the documentation is available in the README file, so have a gander at that for details on how to use it. It’s in the initial phases right now, but it’s a good time to kick the tires and provide feedback.

It often pains me to hear people talking about so-called “RESTful URLs”. If you’re using that term, or you’re spending the majority of your application planning designing URI structures rather than your media types, then chances are you don’t really get the concepts in REST.

Frequently, I see developers sit down and start doodling a “REST API” by mapping out a bunch of URI templates like so:

/users/{userId}
/users/{userId}/stuff
/users/{userId}/stuff/{stuffId}

I’ll admit that I’ve been guilty of taking this approach myself. For one thing, it’s easy to communicate on paper. Most folks in business roles are used to seeing site maps where the content layout and URL structure are usually one and the same. By laying out URI templates, you’ve kind of accomplished the same thing. Folks can visualize a high-level structure of your application, but you end up backing yourself into a corner that is difficult to get out of. Stu Charlton perhaps summed it up best in one of his more insightful posts:

If one is thinking of “how to methods map to my URI structures”, we’ve basically lost the plot as to why we have HTTP, URIs and media types in the first place. The goal is to *eliminate* the API as we normally think of it. (It’s not about a library of calls over a network).

The problem with approaching application design with the URI structure first is that you’re doing things bassackwards. Some people do this because they’ve followed some debatable advice and identified all of the “nouns” in their application and started to work out a series of URL patterns that map to these nouns. As they create these URLs, they’ve followed some questionable advice as to what constitutes a “RESTful URL.” Subbu has another nice post dispelling some of those claims, so I won’t get into it here. The problem with doing all of the URI structure work up front is that you end up creating a set of type resource URLs that end up becoming fixed. Clients now end up coding to a specific set of URI patterns and/or conventions that are only discoverable from your documentation. The URI says nothing about what the data looks like or how the client should interpret it.

Imagine for a moment that you’re a DBA and you’re designing a set of database tables. Which of the two activities are you likely to spend more time on:

The structure of your primary keys

The schema of your database tables

A few of us would opt for something like MySQL’s auto-increment function and we’d be spending the majority of our time on describing the schema. In designing a RESTful application, you should be focusing on the design of your media types rather than what your URLs look like. To be more blunt: you must be focusing your efforts on what the hell your data looks like to consumers of your application. In addition to that, you need to think about how you are expressing links to other resources within your application or resources that are external to it.

This isn’t to say that URL design should be arbitrary and delegated to your web framework of choice. Of course not, you should still have a URI strategy. The point is that the specific URI structures are not what consumers of your API will have to deal with directly. It is bad form to make a client rely on “out-of-band” information to construct a URI in your own special little way in order to get into your application. Take this blog post for example. You likely followed a link posted somewhere else. It could have been from an Atom feed, a search result in Google, or a Bit.ly link off of Twitter. It is highly unlikely that you had to type in the URL yourself and figured out the WordPress permalink structure that I have enabled on this site. If you did do that, well then, you’re awesome!

The fact is that clients will enter your application from some entry point or bookmark you’ve defined (.well-known is looking promising), or somewhere else on the web. Unless you’re a major player like Amazon, Facebook, or others, these clients won’t know that you have documentation that painfully details your API’s URI structures. These clients will simply follow a link into your application. They didn’t type it in according to your fancy-schmancy URI template scheme that is only found in your documentation. The URL is only a means to identify and locate a resource on the web, it does not define how the resource is represented or make suggestions as to what it’s about (remember that URIs are opaque?). At the end of the day, the client is going to have to be able to understand the media type that is returned by requests made to that URI. If you spend all of your time up front mapping methods to URI structures, you’ll end up introducing a coupling that you can’t easily break free from.

Continuing with my ranting about the URL vs. URI bit, I thought I’d continue on given my renewed interest in this topic thanks to Ora. In our LEDP position paper, we made the observation that URLs represent queries while URIs are identifiers. If you’re wondering why you should care about this subtle distinction, please read on.

URLs as Queries

We’ve stated that URLs are queries, but what does that really mean? Those of you familiar with blog software such as WordPress, know that the default URL pattern might go something like this:

Here, the URL forms a query for a blog post using its internal identifier. In this case, the URL is asking the WordPress database for a post and related items using the primary key of a row that represents the post. For most, it’s pretty obvious that the query parameter “p” refers to the internal identity of the post.

As we mention in the paper, there are many other ways to construct URLs to the same post. For example, we can embed the ID into a path segment:

http://damnhandy.com/archives/399

In all of these cases, the server application is interpreting the URL and using elements of the URL to internally resolve the information the client requested. While I’ve only singled out WordPress, this pattern is quite common among several web application frameworks.

Internal Identity vs. Global Identity

When folks put information on the web, the content they publish usually has two identities:

An internal or local identity. This may be the name of a file (i.e. “me.jpg”) or the primary key of a row in a database.

An external identity which is the ID of the information you’ve published. On the web, this is the “global identity” exposed by the URL of the content.

Often, people don’t tend to think about either much. The global identity of a resource is usually an afterthought and is determined by the underlying framework driving the application. With web servers serving up documents, we’re usually exposing the local file name of the document. With database driven applications, we’re exposing the primary key, or some alternate key, of a row in a database. Quite often when a web application changes frameworks, we see the global identity change too and the URL patterns change (i.e. .NET to Java’s JSP, to Ruby, etc.).

Using the previous WordPress example, we know that the internal blog post ID is “399”, but this internal ID really isn’t suitable as a globally unique, unambiguous identifier. Another blog using WordPress, running the same exact version of the software, could also have a blog post ID of “399”. This does not mean that the two sites have the same content, it only means that the two instances happen to have a post with an internal ID of “399”. As you might have noticed, the value “399” isn’t a suitable web-scale identifier. We need something else.

URIs uniquely identify resources but a URI used to fetch something is not always a good candidate to serve as a unique identifier in client applications.

And this is where I feel the core confusion with URLs and URIs lies: identity vs. location. If we look at his initial example, he describes the following:

AZA12093
...
ADK31242
...

In his example, the internal identity of each account is being expressed through a path segment in the href attribute of the link element. This approach is functional and is similar to that of the previous WordPress example.

The problem with this approach is that the ID values are only unique within the domain “bank.org”. There’s no reliable way to assert that two sites are referring to the same account if we have to rely on the value of a path segment or query parameter. As stated earlier, if we take WordPress as an example again, blog post “399” might talk about the Kardashians, or something else. There’s no guarantee that the two URLs refer to the same information if they share the same internal identity. Most likely, they don’t.

You might wonder what the hell is going on here since it looks pretty much the same as the first example. The difference is that we’re saying that the ID and the link are identical. That is, the identity of the account is the URI. That URI also happens to be a URL that can be dereferenced. This works, and it’s considered a basic principle of Linked Data.

However, there are some problems with this approach too. As Subbu rightly points out, URIs are not always cool URIs. We are all aware that URIs do change at some point. If Bank.org is acquired by BiggerBank.com, what happens to the ID since we tied the ID to a host name that is likely to be retired soon?

One solution is to follow good web practices and maintain the bank.org domain and redirect requests for the older URLs to the new ones. Adobe does this with links to FutureSplash and Macromedia Flash locations. These URLs all resolve to the Adobe Flash product pages.

This strategy allows us to keep the original identity but the link is changed to accommodate the new domain. We can expand on this strategy and change the value of the link:

Yes, it looks ugly and weird, but it’s valid and it works. If you look closely, it’s not much different from the initial WordPress URL. The only difference is that we’ve replaced a numeric identifier with a URI. It’s a URI that references another URI, but it is valid. For some reason, people just don’t like URLs that look like this. DBpedia does this since they’re describing data on Wikipedia:

The big difference with this approach is that it’s clear that the identifier is globally unique. There’s significantly less ambiguity about the ID: http://en.wikipedia.org/wiki/BMW_7_Series_(E23) than the ID: BMW_7_Series_(E23). Because no one else can mint valid URLs within the Wikipedia domain, you can have greater confidence that multiple applications are referring to the same thing. URIs as identifiers are globally unique.

The global identity of information resources shouldn’t change as frequently as it does. It drives my wife apeshit that all of her recipe bookmarks change every time MarthaStewart.com updates their site. Part of the problem I believe is that most folks doing Information Architecture don’t take identity into consideration and that a fair number of web frameworks do very little to assist in quality URI/URL design. But this post is long enough, so I’ll save that for another post.